Skip to content

SBOM-TOOL is a ctl tool that generates software bill of materials (SBOM) for software projects through source code warehouse, code fingerprint, construction environment, artifact information, artifact content, dependency construction and other dimensional information.

License

Notifications You must be signed in to change notification settings

jd-opensource/sbom-tool

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SBOM-TOOL

English | 简体中文

SBOM-TOOL is a ctl tool that generates software bill of materials (SBOM) for software projects through source code warehouse, code fingerprint, construction environment, artifact information, artifact content, dependency construction and other dimensional information.

Feature

Information collection

  • Collect source code engineering information, including warehouse address, version information, etc.
  • Collect and generate code fingerprints
  • Collecting engineering construction depends on environmental information
  • Collect the dependent components built by the project
  • Collect the final artifact package information
  • Collect artifact content information, including file name type, check code, etc.

SBOM document

  • Assemble SBOM documents
  • Standard format conversion,support domestic XSPDX, SPDX and other specifications, support JSON, TagValue and other formats
  • Canonical format check,support domestic XSPDX, SPDX and other specifications, support JSON, TagValue and other formats

Code fingerprint generation ability

language Is it supported
C/C++ yes
Java yes
C# yes
Dart yes
Golang yes
Javascript yes
Objective-C yes
Php yes
Python yes
Ruby yes
Rust yes
Swift yes
Lua yes

Dependent packet scanning capability

Configuration file parsing and binary package parsing related to the following programming languages are now supported, and more programming languages will be supported step by step.

Package Type Package Manager Parsing file support dependency graph
maven Maven
  • pom.xml
  • *.jar
  • *.war
  • [graph]maven-dependency-tree.txt(mvn dependency:tree -DoutputFile=maven-dependency-tree.txt)
yes
maven Gradle
  • *.gradle
  • .gradle.lockfile
  • [graph]gradle-dependency-tree.txt(gradlew gradle-baseline-java:dependencies > gradle-dependency-tree.txt)
yes
conan Conan
  • conanfile.txt
  • conan.lock
  • [graph]conan-graph-info.json(conan graph info -f json > conan-graph-info.json)
yes
npm NPM
  • package.json
  • package-lock.json
no
npm Yarn
  • [graph]yarn.lock
yes
npm PNPM
  • [graph]pnpm.lock
yes
golang Go Module
  • go.mod
  • Go Binary file
  • [graph]go-mod-graph.txt(go mod graph > go-mod-graph.txt)
yes
golang Glide
  • glide.yml
  • glide.yaml
no
golang GoDep
  • Godeps.json
no
golang Dep
  • Gopkg.toml
no
golang GVT
  • */vendor/manifest
no
pypi PIP
  • Pipfile.lock
  • *dist-info/METADATA
  • PKG-INFO
  • *requirements*.txt
  • setup.py
  • [graph]pipenv-graph.txt(pipenv graph > pipenv-graph.txt)
yes
pypi Poetry
  • [graph]poetry.lock
yes
conda Conda
  • environment.yml
  • environment.yaml
  • package-list.txt
no
composer Composer
  • composer.json
  • composer.lock
no
cargo Cargo
  • Cargo.toml
  • [graph]Cargo.lock
  • Rust Binary file
yes
carthage Carthage
  • Cartfile
  • Cartfile.resolved
no
swift SwiftPM
  • Package.swift
no
cocoapods Cocoapods
  • Podfile.lock
  • Podfile
  • *.podspec
yes
gem Gem
  • [graph]Gemfile.lock
  • Gemfile
  • *.gemspec
yes
nuget NuGet
  • [graph]*.deps.json
  • *.csproj
  • *.vbproj
  • *.fsproj
  • *.vcproj
  • *.nuget.dgspec.json
  • *.nuspec
  • packages.json
  • packages.lock.json
yes
pub Pub
  • [graph]pub-deps.json(dart pub deps --json > pub-deps.json)
  • pubspec.lock
  • pubspec.yaml
yes
rpm RPM
  • *.spec
no
deb DEB
  • *.deb
  • *.control
no
lua LuaRocks
  • *.rockspec
no
bower Bower
  • *.spec
no

Architecture

SBOM-TOOL architecture

Installation

  1. Download source code compilation(go 1.18 or above is required)
    git clone [email protected]:JD-opensource/sbom-tool.git
    cd sbom-tool
    make
    Generate program binaries for various system architectures by default
    • Linux X86_64:sbom-tool-linux-amd64
    • Linux arm64:sbom-tool-linux-arm64
    • Windows X86_64:sbom-tool-windows-amd64.exe
    • Windows arm64:sbom-tool-windows-arm64.exe
    • MacOS amd64: sbom-tool-darwin-amd64
    • MacOS arm64: sbom-tool-darwin-arm64

Or install via go install

   go install gitee.com/JD-opensource/sbom-tool/cmd/sbom-tool@latest

Or install via downloading the binary: SBOM-TOOL Releases

Subcommands

subcommand function
help Help about any command
artifact collect artifact information
assembly assembly sbom document from document segments
completion Generate the autocompletion script for the specified shell
convert convert sbom document format
env build environment info
fingerprint generate code fingerprint
generate generate sbom document
package collect package dependencies
source collect source code information
validate validate sbom document format
info get tool introduction information
modify modify sbom document properties

Parameter description

Parameters Short parameter describe Use exampl
--log-level log level (debuginfowarnerror) --log-level info
--log-path log output path (default "$home/sbom-tool/sbom-tool.log") --log-path /tmp/sbom.log
--quiet -q no console output --quiet
-q
--ignore-dirs dirs to ignore, skip all dot dirs, split by comma. sample: node_modules,logs --ignore-dirs log,logs
--language -l programming language (Currently supported:javacpp)(Default “*”) --language java
-l cpp
--parallelism -m number of parallelism(Default 8) --parallelism 4
-m 9
--output -o output file,The result file is produced in the current directory by default. --output /tmp/sbom.json
--src -s project source directory(use project root if empty) (default ".") --src /tmp/sbomtool/src/
--path -p Specify the project project home directory; the assemble subcommand is used to specify the temporary document path for each phase --path /tmp/sbomtool/
--dist -d distribution directory (default ".") --dist /tmp/sbomtool/bin/
--format -f Specify SBOM document format(Currently supported:xspdx-jsonspdx-jsonspdx-tagvalue )(Default spdx-json) --format xspdx-json
-f spdx-json
--input -i Specify the SBOM document as input --input /tmp/sbom.jsom

SBOM Document specification and format

specification format SBOM document format status
XSPDX JSON xspdx-json Supported
SPDX JSON spdx-json Supported
SPDX TagValue spdx-tagvalue Supported

User guide

Generate code fingerprints only based on the source code path

sbom-tool fingerprint -m 4 -s ${src_path}  -o fingerprint.json --ignore-dirs .git

Generate an SBOM document and specify the format

sbom-tool generate -m 4 -p ${project_path} -s ${src_path} -d ${dist_path}  -o sbom.spdx.json -f spdx-json --ignore-dirs .git  -n ${name} -v ${version} -u ${supplier} -b ${namespace}

Get tool introduction information

sbom-tool info

See document for details.

Development guide

See for details Development guide documentation

Problem feedback & contact us

If you encounter problems in use, you are welcome to submit ISSUE to us.

How to Contribute

SBOM-TOOL is a open source software component analysis tool, look forward to your contribution.

License

This project is licensed under MulanPSL2 - see the LICENSE file for details.

About

SBOM-TOOL is a ctl tool that generates software bill of materials (SBOM) for software projects through source code warehouse, code fingerprint, construction environment, artifact information, artifact content, dependency construction and other dimensional information.

Resources

License

Stars

Watchers

Forks

Packages

No packages published